LDAP Import - Server Options

Use the Import Options page to select the type of LDAP import you would like to perform, set up a schedule, enter LDAP search settings, and define logging.

Note: This section describes options applicable to all import types.

For information about options for specific import types, refer to:

Import users from LDAP - Refer to Options for Importing Users from LDAP.
Import contacts from LDAP - Refer to Options for Importing Contacts from LDAP.
Update from LDAP - Refer to Options for Updating from LDAP.

LDAP Scheduling Options

This section enables you to schedule LDAP imports and updates. For example, if you want to ensure that SBM user data is synchronized with your LDAP user data, create a schedule that will automatically update your SBM users from LDAP on a recurring basis.

Tip: You must enter valid LDAP search settings before you can schedule an import or update task.

Status messages for scheduled imports and updates appear in the Notification Server log file (click Open Log in the Notification Server tab in SBM Configurator to view the messages).

After you have defined one or more LDAP option sets, click Add (+) to launch the scheduler. In the LDAP Scheduling dialog box, select an LDAP Option Set to schedule, enter the desired frequency that it should execute, and then click OK.

To delete an existing schedule, select the schedule, and then click Details or double-click. In the LDAP Scheduling dialog box, click Remove schedule, and then click OK. A summary of the scheduled import or update appears in the Scheduling section.

LDAP Search Settings

Save LDAP import option sets so that you can reuse them for scheduled imports and for updating user account and contact data. Server information, user and contact attribute mapping, and template user settings are saved with the import option set.

LDAP Option Set
Use the following options to manage and reuse LDAP search option sets. LDAP option sets marked with an asterisk indicate that they are currently used by a scheduled import or update.
- Add (+)
  Select this icon to clear existing search settings and create a new LDAP search option set.
- Save ()
  Select this icon to save settings as an LDAP search option set.
- Delete ()
  Select this icon to delete an LDAP search option set.
Server
Specify the server name, IP address, or fully qualified domain name of the LDAP server. If your directory is replicated on more than one server, list each server's name separated by a space. If a replicated server uses a different port than is specified in the Port box on this dialog box, type :portnumber after the server name.
Port
Specify the port number of the directory server. The default setting for LDAP using clear text is 389; the default LDAP port for Secure Sockets Layer (SSL) is 636. You can specify a different port if necessary for your installation.
Secure connection
Select this check box to connect to LDAP via Secure Sockets Layer (SSL). If this check box is selected, the Port setting automatically changes to 636, which is the default LDAP port for SSL. You can alter this value if necessary.
Tip: SSL is less efficient than the clear text authentication method because response times may be slower. For best results, use the unencrypted bind whenever possible. If your SBM server and directory server are local to one another, it may be unnecessary to use SSL.
Certificate location
This field is enabled if the Secure connection check box is selected. Enter the full path to the certificate on the SBM Application Engine Web Server. This certificate is used by Application Engine for Web service authentication requests that do not have SSO security tokens. SBM accepts the following encoded certificates:
- A DER-encoded root certificate for the issuer of the LDAP server certificate. If you choose to specify a DER-encoded certificate, it must be the root certificate authority (CA) certificate, and the LDAP server must be configured to transmit all other certificates in the chain of trust during the SSL handshake.
- A PEM-encoded file that includes the root CA certificate and, optionally, any intermediate CA certificates in the chain of trust. If a multi-step SSL chain of trust must be honored by SBM to connect to LDAP, you can specify a single PEM file that contains the root CA certificate and any intermediate CA certificates. If there are intermediate CA certificates that are not included in this file, the LDAP server must be configured to transmit those certificates during the SSL handshake.
  Important: The LDAP server must not require client authentication, as SBM does not supply a client certificate.
Search Base
Type the Directory root at which searching for user information will begin. All nodes at and beneath the base are searched for records of users being authenticated. The search timeout period is 30 seconds.
Search Filter
Select one of the provided search filters or type your own search filter. The search filter is used to authenticate users and for mapping and updating user information. The search filter must contain one or more format specifiers ({0} for the first, {1} for the second—if needed), which are replaced by SBM at runtime with the SBM login ID of the user being authenticated. For example:
```
(&(objectClass=user)(sAMAccountName={0}))
```
In this case, when user "Joe Smith" attempts to log in, the {0} specifier is replaced by his SBM login ID jsmith and he is authenticated against LDAP. The authentication will succeed if the SBM login ID matches his LDAP sAMAccountName value and he provides the proper password.
Follow Referrals
Select this checkbox to enable LDAP referrals. This feature can enable SBM to locate LDAP user objects on separate servers in the event that some users can not be found in the primary server's LDAP directory. If your LDAP directory entries are split across two or more LDAP servers, the primary LDAP server can be configured to respond to queries in multiple ways:
- If the primary server enables "chaining", it will automatically search any secondary servers and build a list of responses as though all the entries were on the primary server. In this scenario, SBM does not need to be configured to search other servers.
- If the primary server does not enable "chaining", it may return "referrals" for the secondary servers. In that case, SBM must either follow the referral by directing a new search request to the secondary server, otherwise SBM will not find any directory entries that are not on the primary server.
If all of the entries of interest to SBM are on the primary server or if the primary server enables chaining, then SBM does not need to follow referrals; if there are necessary entries on a secondary server and the primary server does not do chaining, then SBM should be configured to follow referrals.
Note: There are some limitations on how SBM will interact with secondary LDAP servers when following referrals. Because the Search DN and password may only be applicable to the primary server, queries to secondary servers will be performed anonymously. Consequently, the secondary LDAP servers must allow anonymous searching and authentication in order for SBM to follow referrals successfully.
Search DN
Type the distinguished name of an LDAP user account that has permission to search and read other user accounts that are to be authenticated in or imported into SBM. If your LDAP provider allows anonymous searches, this box can be empty. If a DN is provided, however, it must be an active and valid LDAP account located in the same root level directory specified in the Search Base and not in a subordinate container. The DN must be able to search all subordinate containers, so it must be placed in a root level directory that encapsulates the rest of the containers that hold your user accounts.
Password
In the Password box, type the password for the user account specified in the Search DN box. The password is encrypted before it is stored in the SBM database.

LDAP Attributes Sample Data

This section contains sample data to assist you in mapping LDAP attributes to SBM attributes. Initially, the section does not contain any information. Click Refresh to populate the section with LDAP attributes and sample data from a user in your LDAP store. Click Refresh to see sample data from other users in your LDAP directory.

User accounts are listed based on the order they are stored in the LDAP directory.

LDAP Logging and E-mail Options

Use these options to send a copy of the import log file by e-mail when the import process completes and to send e-mail messages to newly imported users.

The Notification Server must be configured and running to send import logs and new user confirmations. On-premise customers use SBM Configurator to manage the Notification Server. The Notification Server is enabled in on-demand systems.

Change these options as needed:

Send the log by e-mail when import completes
This check box is selected by default. Clear it to stop the import log from being sent by e-mail.
E-mail
By default, the user logged into SBM Application Administrator when the import process is started is sent the log message. Change the e-mail address as needed. To send the log to multiple addresses, separate each address with a comma.
Log Level
In the drop-down list, select one of the following options:
- None
  Select to disable logging.
- Minimal
  Select to log minimal information about LDAP imports and updates, such as the number of users imported and updated.
- Detailed
  Select to log detailed information about LDAP imports and exports, including field mapping assignments.
- Verbose
  Select to log detailed trace information about LDAP imports and exports, such as the login IDs of the accounts imported or updated. If you are experiencing trouble with this feature, set the logging to Verbose to assist you or Serena support staff in diagnosing problems.
Send notification e-mails to created users
Select this check box to send e-mail messages to newly imported users. The message is sent to the address that is added during the import process and includes login information. Users must change their password on their first login attempt.
Note: On-premise customers can use SBM System Administrator to modify the template for e-mails sent to newly imported users. This template is located on the External Users tab of the Settings dialog box.